30 January 1976


MEMORANDUM FOR: Director of Joint Computer Support 


SUBJECT : Privacy Act of 1974 


1. Attached is my critique of the DoDCI Computer System
Privacy Course which I attended last week. To summarize, it 
is an excellent course and I recommend that our people attend. 
The course provides a greater awareness of the vulnerabilities 
of computer systems and the simple safeguards which can be 
implemented to protect them. It emphasizes the fact that 
everyone involved must understand why safeguards are imposed 
and cooperate in their use, or they may subvert and thwart a 
set of controls which they view as being arbitrarily imposed. 


2. In view of recent events in several areas which 
have pointed out our vulnerabilities internally and on the 
customers' side, I intend to brief OJCS employees on the 
Privacy Act, using material supplied in the DoDCI course, and 
try to get started on security and privacy audits of our 
systems of records. I believe we are going to have to be in 
a position to show documented proof of what we are doing to 
ensure compliance with the Privacy Act. 


3. I believe we are in better shape than most agencies
with regard to the control and accuracy of computer files. 
Procedures do exist. But as in many areas of data processing, 
we have not done a thorough job of documentation because the 
incentives and pressures did not exist. With the Privacy Act 
and the threat of OMB audit, the incentive is now there. 


STATINTL 


Executive Officer, OJCS 
Attachment: a/s 


cc: Div/Staff Chiefs, OJCS 
19.


This is an excellent course taught by qualified and
skilled instructors who have combined course material
from Computer Security courses with new material developed
especially to address the Privacy Act of 1974. In this
respect, it is a good multipurpose course for anyone
working with computer-based information systems which
contain classified data or data subject to the Privacy
Act.


This course develops an understanding of the types of
action necessary to design, manage and protect an automated
"system of records", whether containing classified
or "privacy" data. Instruction is directed to the major
requirements of the law and their impact upon the data
processing environment. Problems of data accuracy,
privacy, and confidentiality are placed in perspective
by providing a "total systems" approach to the diagnosis
of the operational data processing environment. The
emphasis is on the simple and practical safeguards which
are currently available. Some of the material can also
be found in standard computer systems analysis courses
but much of it is unique to secure systems and not
covered in commercial courses. Since the Act currently
applies only to the Federal Government, it is not likely
that commercial ADP training will be developed to cover
the law. Also, the Agency computer systems have more
in common with DoD than with the civilian agencies who
will be trying to follow the Act.


The actual topics covered, in sessions ranging from 
one to two hours, in order of presentation, are as 
follows: 


Privacy Act of 1974 (PL 93-579) (includes DoD 
film on subject) 

Discussion of Privacy Act 

Analysis and Planning for Privacy 

Controls for Data Base Accuracy 

Disclosure Accounting and Dispute Handling 

Computer System Vulnerabilities 

Computer Resource Protection 

Data Base Protection 

Physical Access, Media and Personnel Controls 

Terminal Protection 

Administration and Auditing 

Privacy and Employee Education (includes set of 
visual aid masters and notes for employee 
briefing on return from course) 
20.


I highly recommend attendance at this course by any
Agency employee responsible for the design, development,
operation, or use of a computer based system containing
information on individuals. Ideally, computer specialists
and customers involved with a particular system should
attend as a team. This is particularly important because
the course stresses the shared responsibility of
the computer specialists and computer users for ensuring
that the provisions of the Privacy Act have been applied
to computer-based systems of records. It would be advisable
for them to be familiar with the Agency regulation
regarding implementation of the Privacy Act and the
Systems of Records reported in the Federal Register by
CIA. The course is scheduled for 50 runnings, one a
week, on Tuesday through Thursday, over the next year.
Four have been given as of 29 January 1976.


The speakers for this course, who I assume will remain
the same for future runnings, are all competent and
skilled instructors who know their material. They brief
well in the traditional military style and use good visual
aids. They also encourage questions and discussion.


One notable speaker is Lt. Cdr. G. Fairgrieve of the 
Royal Navy. He is extremely knowledgeable in the area 
of technical and procedural safeguards for computer 
installations, and is an entertaining speaker. 